CreateProcessInternalW
|
thread_identifier:
2760
thread_handle:
0x000001bc
process_identifier:
2756
current_directory:
filepath:
track:
1
command_line:
C:\Users\test22\AppData\Local\Temp\bQrq.exe /stext "C:\Users\test22\AppData\Local\Temp\ctbhayyzie"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
inherit_handles:
0
process_handle:
0x000001d0
|
1
|
1 |
0
|
NtGetContextThread
|
thread_handle:
0x000001bc
|
1
|
0 |
0
|
NtUnmapViewOfSection
|
base_address:
0x00400000
region_size:
4096
process_identifier:
2756
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtMapViewOfSection
|
section_handle:
0x000001d8
process_identifier:
2756
commit_size:
0
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
base_address:
0x00400000
allocation_type:
0
()
section_offset:
0
view_size:
491520
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtSetContextThread
|
registers.eip:
1995571652
registers.esp:
1638384
registers.edi:
0
registers.eax:
4678260
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
thread_handle:
0x000001bc
process_identifier:
2756
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000001bc
suspend_count:
1
process_identifier:
2756
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
2820
thread_handle:
0x000001bc
process_identifier:
2816
current_directory:
filepath:
track:
1
command_line:
C:\Users\test22\AppData\Local\Temp\bQrq.exe /stext "C:\Users\test22\AppData\Local\Temp\nvpsbqitwmmnh"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
inherit_handles:
0
process_handle:
0x000001d0
|
1
|
1 |
0
|
NtGetContextThread
|
thread_handle:
0x000001bc
|
1
|
0 |
0
|
NtUnmapViewOfSection
|
base_address:
0x00400000
region_size:
4096
process_identifier:
2816
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtMapViewOfSection
|
section_handle:
0x000001cc
process_identifier:
2816
commit_size:
0
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
base_address:
0x00400000
allocation_type:
0
()
section_offset:
0
view_size:
356352
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtSetContextThread
|
registers.eip:
1995571652
registers.esp:
1638384
registers.edi:
0
registers.eax:
4543032
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
thread_handle:
0x000001bc
process_identifier:
2816
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000001bc
suspend_count:
1
process_identifier:
2816
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
2884
thread_handle:
0x000001bc
process_identifier:
2880
current_directory:
filepath:
track:
1
command_line:
C:\Users\test22\AppData\Local\Temp\bQrq.exe /stext "C:\Users\test22\AppData\Local\Temp\ppukcjtusufsrfkxy"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
inherit_handles:
0
process_handle:
0x000001d0
|
1
|
1 |
0
|
NtGetContextThread
|
thread_handle:
0x000001bc
|
1
|
0 |
0
|
NtUnmapViewOfSection
|
base_address:
0x00400000
region_size:
4096
process_identifier:
2880
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtMapViewOfSection
|
section_handle:
0x00000350
process_identifier:
2880
commit_size:
0
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
base_address:
0x00400000
allocation_type:
0
()
section_offset:
0
view_size:
147456
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtSetContextThread
|
registers.eip:
1995571652
registers.esp:
1638384
registers.edi:
0
registers.eax:
4334086
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
thread_handle:
0x000001bc
process_identifier:
2880
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000001bc
suspend_count:
1
process_identifier:
2880
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
2984
thread_handle:
0x000001bc
process_identifier:
2980
current_directory:
filepath:
track:
1
command_line:
C:\Users\test22\AppData\Local\Temp\bQrq.exe /stext "C:\Users\test22\AppData\Local\Temp\keicy"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
inherit_handles:
0
process_handle:
0x000001d0
|
1
|
1 |
0
|
NtGetContextThread
|
thread_handle:
0x000001bc
|
1
|
0 |
0
|
NtUnmapViewOfSection
|
base_address:
0x00400000
region_size:
4096
process_identifier:
2980
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtMapViewOfSection
|
section_handle:
0x00000360
process_identifier:
2980
commit_size:
0
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
base_address:
0x00400000
allocation_type:
0
()
section_offset:
0
view_size:
491520
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtSetContextThread
|
registers.eip:
1995571652
registers.esp:
1638384
registers.edi:
0
registers.eax:
4678260
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
thread_handle:
0x000001bc
process_identifier:
2980
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000001bc
suspend_count:
1
process_identifier:
2980
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
3044
thread_handle:
0x000001bc
process_identifier:
3040
current_directory:
filepath:
track:
1
command_line:
C:\Users\test22\AppData\Local\Temp\bQrq.exe /stext "C:\Users\test22\AppData\Local\Temp\uyvuzaya"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
inherit_handles:
0
process_handle:
0x000001d0
|
1
|
1 |
0
|
NtGetContextThread
|
thread_handle:
0x000001bc
|
1
|
0 |
0
|
NtUnmapViewOfSection
|
base_address:
0x00400000
region_size:
4096
process_identifier:
3040
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtMapViewOfSection
|
section_handle:
0x00000364
process_identifier:
3040
commit_size:
0
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
base_address:
0x00400000
allocation_type:
0
()
section_offset:
0
view_size:
356352
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtSetContextThread
|
registers.eip:
1995571652
registers.esp:
1638384
registers.edi:
0
registers.eax:
4543032
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
thread_handle:
0x000001bc
process_identifier:
3040
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000001bc
suspend_count:
1
process_identifier:
3040
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
908
thread_handle:
0x000001bc
process_identifier:
1964
current_directory:
filepath:
track:
1
command_line:
C:\Users\test22\AppData\Local\Temp\bQrq.exe /stext "C:\Users\test22\AppData\Local\Temp\fabfzsjbhhtd"
filepath_r:
stack_pivoted:
0
creation_flags:
4
(CREATE_SUSPENDED)
inherit_handles:
0
process_handle:
0x000001d0
|
1
|
1 |
0
|
NtGetContextThread
|
thread_handle:
0x000001bc
|
1
|
0 |
0
|
NtUnmapViewOfSection
|
base_address:
0x00400000
region_size:
4096
process_identifier:
1964
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtMapViewOfSection
|
section_handle:
0x00000368
process_identifier:
1964
commit_size:
0
win32_protect:
64
(PAGE_EXECUTE_READWRITE)
buffer:
base_address:
0x00400000
allocation_type:
0
()
section_offset:
0
view_size:
147456
process_handle:
0x000001d0
|
1
|
0 |
0
|
NtSetContextThread
|
registers.eip:
1995571652
registers.esp:
1638384
registers.edi:
0
registers.eax:
4334086
registers.ebp:
0
registers.edx:
0
registers.ebx:
2130567168
registers.esi:
0
registers.ecx:
0
thread_handle:
0x000001bc
process_identifier:
1964
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000001bc
suspend_count:
1
process_identifier:
1964
|
1
|
0 |
0
|
CreateProcessInternalW
|
thread_identifier:
3020
thread_handle:
0x000004a0
process_identifier:
3024
current_directory:
C:\Users\test22\AppData\Local\Temp
filepath:
C:\Windows\System32\wscript.exe
track:
1
command_line:
"C:\Windows\System32\WScript.exe" "C:\Users\test22\AppData\Local\Temp\qbpwgrxkesssvelmcaedlaeqpyoqte.vbs"
filepath_r:
C:\Windows\System32\WScript.exe
stack_pivoted:
0
creation_flags:
67634192
(CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles:
0
process_handle:
0x0000049c
|
1
|
1 |
0
|
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
2756
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000000fc
suspend_count:
1
process_identifier:
2816
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x00000108
suspend_count:
1
process_identifier:
2980
|
1
|
0 |
0
|
NtResumeThread
|
thread_handle:
0x000000fc
suspend_count:
1
process_identifier:
3040
|
1
|
0 |
0
|